DETAILED ACTION

1. Claims 1-17 have been presented for examination.

Claim Objections 

2. Claim 10 is objected to because of the following informalities: Claim 10 recites
"provided at for a fee to the vendor," which is grammatically incorrect. For the sake of
examination, claim 10 will be interpreted as "provided for a fee to the vendor."

3. Appropriate correction is required. 

Claim Rejections - 35 USC § 112 

4. The following is a quotation of the second paragraph of 35 U.S.C. 112:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the 
subject matter which the applicant regards as his invention. 

5. Claims 2, 6, and 7 are rejected under 35 U.S.C. 112, second paragraph, as being
indefinite for failing to particularly point out and distinctly claim the subject matter which 
applicant regards as the invention. Claims 2, 6, and 7 recite the limitation "the vendor." There is 
insufficient antecedent basis for this limitation in the claim, and the Examiner will construe "the 
vendor" to be the "second parties" disclosed in claim 1.

Claim Rejections - 35 USC §102 

6. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless — 

(a) the invention was known or used by others in this country, or patented or described in a printed publication in this 
or a foreign country, before the invention thereof by the applicant for a patent. 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United
States and was published under Article 21(2) of such treaty in the English language. 

7. Claims 1-4, 8, 11, and 13-15 are rejected under 35 U.S.C. 102(a) and 35 U.S.C. 102(e) as 
being anticipated by U.S. Patent Application Publication No. 2002/0138417. 

8. As per claim 1, Lawrence teaches a transaction involving a disclosure of confidential 
information by first parties to second parties (paragraph [0014], i.e. financial transaction), 
requiring the second parties to adopt security measures with respect to the handling of the 
information and periodically respond to requests of the first parties for assurances of the 
implementation and observance of the security measures (paragraphs [0002], [0016], [0017]), a 
method for providing the assurances to the first parties, comprising: 

arranging with a selected number of the second parties to acquire, compile and store in a 
database information regarding the security measures for each of the selected number of second 
parties (Figures 3 [block 312], 4 [block 410], paragraphs [0031], [0079], i.e. gathers and stores 
information in a database related to a risk assessment of a party involved in a financial 
transaction); 

arranging with a selected number of the first parties subscription services providing the 
selected number of first parties with assurances of the security measures of the selected number 
of second parties upon request (Figures 1 [block 111], 2 [blocks 220, 221], paragraphs [0035],
[0037], [0067], i.e. subscriber's request for information); and 

providing the assurances of the security measures of the selected number of second 
parties to the selected number of first parties (Figures 3 [block 319], 4 [block 418], 5 [block 517],
paragraphs [0013], [0031], [0032], [0088], [0091], [0097], i.e. convey that a financial institution
complies with government standards relating to risk containment, scrubbed and augmented data
is transmitted to a subscriber that relates risk variable involved in a financial transaction). 

9. Regarding claims 2 and 13, Lawrence teaches updating the security measures information 
stored in the database for each vendor periodically (paragraphs [0079], [0094], i.e. ongoing
monitoring). 

10. Regarding claim 3, Lawrence teaches updating the security measures information stored 
in the database upon a notification by a respective second party (paragraphs [0031], [0039], i.e. a 
financial institution can integrate a risk management clearinghouse) and verification by a third 
party (paragraph [0080], i.e. source of risk variable by other provider of risk management data, 
such as a government agency). 

11. Regarding claims 4 and 11, Lawrence teaches wherein the acquisition, compilation and
storage of the security measures information of the selected number of second parties is 
performed at no cost to the selected number of second parties (Figures 3 [block 312], 4 [block 
410], paragraphs [0031], [0079], i.e. gathers and stores information in a database related to a risk 
assessment of a party involved in a financial transaction). Lawrence makes no mention of a cost, 
fee or surcharge associated with the accumulation of risk related data anywhere in the patent 
application. 

12. As per claim 8, Lawrence teaches a method for providing security information on a
plurality of vendors to a plurality of clients, comprising: 

providing an assessment of security procedures for each of the plurality of vendors 
(Figures 3 [block 312], 4 [block 410], paragraphs [0031], [0079], i.e. gathers and stores 
information in a database related to a risk assessment of a party involved in a financial 
transaction); 

storing each assessment in a vendor security database (Figures 1 [block 112], 2 [block
210], paragraphs [0031], [0042], [0043], [0054], [0058], [0060]); 

providing access to the vendor security database to each client to allow each client to 
review the plurality of assessments (Figures 3 [block 319], 4 [block 418], 5 [block 517],
paragraphs [0063], [0086], i.e. a subscriber will be able to access the database). 

13. Regarding claim 14, Lawrence teaches wherein the assessment is updated whenever the 
vendor updates its security procedures, the updates are verified and provided to the VMS 
(paragraphs [0093], [0094], i.e. RMC monitors for and stores updates). 

14. Regarding claim 15, Lawrence teaches wherein each assessment comprises one or more 
of SAS70 reports, Penetration Reports, Information Security Policies, Computer Incident
Response Policies, DR Plans, Business Resumption Plans, Insurance Coverages, 3rd Party 
Vendor Management Policies & Programs and Annual Financial Reports (paragraphs [0003]- 
[0005], [0008], [0017], [0035], i.e. SAS 70 reports include the suspicious activity reports 
disclosed in Lawrence). 

Claim Rejections - 35 USC § 103

15. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

16. Claims 5-7, 9, 10, 12, 16, and 17 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Lawrence in view of U.S. Patent Application Publication No. 2004/0193907 to 
Patanella, hereinafter Patanella. 

17. Regarding claims 5 and 12, Lawrence teaches wherein the access provided to each client 
is a subscription service (Figures 1 [block 111], 2 [blocks 220, 221], paragraphs [0035], [0037],
[0067]). 

18. Lawrence does not teach rendering the subscription services for a fee. 

19. Patanella discloses a cost-effective method for assessing a network for compliance with a 
number of regulations, policies, or standards in paragraph [0008]. One of ordinary skill in the 
art would infer that since there is a cost associated with the method, therefore a fee could be 
charged to subscribers. 

20. It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to render the subscription services for a fee, since Patanella states at paragraph [0006] 
that the reporting capabilities of the previous system are immature and require highly technical 
personnel to analyze and make sense out of the results. Therefore, one of ordinary skill in the art 
would recognize the need for a subscription fee to pay the technical personnel to translate and 
present the reports to the users in a clear and concise manner. 

21. Regarding claims 6, 7, 16 and 17, Lawrence does not teach providing a rating for each
second party based upon a type of the confidential information and the security measures of the 
vendor. 

22. Patanella teaches providing a rating for each second party (Figure 7, paragraph [0017], 
i.e. low risk, medium risk, high risk, information risk) based upon a type of the confidential 
information (paragraphs [0069], [0070], i.e. compares to industry average, for example, for 
financial institutions) and the security measures of the vendor (paragraphs [0017], [0069], 
[0070], i.e. defining the security levels, such as high risk refers to the system being 
compromised, that requires immediate attention). 

23. It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to provide a rating based upon confidential information and/or security measures of 
the vendor, since Patanella states at paragraph [0008] and [0069] that providing a rating allows 
the user to view the most vulnerable systems in a ranking that is cost-efficient and permits the 
user to see which systems require the most attention, as well as suggest possible fixes to patch 
certain vulnerabilities. 

24. Regarding claims 9 and 10, Lawrence does not teach wherein the assessment is provided
at cost or fee to the vendor. 

25. Patanella discloses a cost-effective method for assessing a network for compliance with a 
number of regulations, policies, or standards in paragraph [0008]. One of ordinary skill in the 
art would infer that since there is a cost associated with the method, therefore some type of cost
or fee could be charged to the vendor. 

26. It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to charge the vendor, since Patanella states at paragraph [0006] that the reporting 
capabilities of the previous system are immature and require highly technical personnel to 
analyze and make sense out of the results. Therefore, one of ordinary skill in the art would 
recognize the need for a charge to the vendor to pay the technical personnel to translate and 
present the reports to the users in a clear and concise manner. 

Conclusion 

27. The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. 

28. The following patents are cited to further show the state of the art with respect to 
compliance assessment, such as: 

United States Patent Application Publication No. 2003/0004754 to Krutz, which is cited 
to show evaluating compliance with the Health Insurance Portability and Accountability Act. 

United States Patent Application Publication No. 2003/0236742 to Lawrence, which is 
cited to show managing risk associated with hedge funds. 

United States Patent Application Publication No. 2004/0024693 to Lawrence, which is 
cited to show analysis and quantification of proprietary risk associated with financial institutions. 

United States Patent Application Publication No. 2002/0178046 to Lawrence, which is 
cited to show a risk management clearinghouse to evaluate compliance with financial 
regulations. 

United States Patent Application Publication No. 2004/0193918 to Green et al., which is
cited to show network vulnerability detection and compliance assessment. 

United States Patent Application Publication No. 2004/0128186 to Breslin et al., which is 
cited to show managing risks associated with outside service providers. 

United States Patent No. 2003/0149578 to Wong, which is cited to show evaluating the 
risks involved in a financial transaction. 

29. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Christian La Forgia whose telephone number is (571) 272-3792. 
The examiner can normally be reached on Monday thru Thursday 7-5. 

30. If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on (571) 272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

31. Information regarding the status of an application may be obtained from the Patent
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



Christian LaForgia 
Patent Examiner
Art Unit 2131